In many ways, the lines between identity management and physical access have begun to blur.
Photo credit: (Image courtesy bigstockphoto.com)
I can’t recall exactly when it happened, but at some point the term “identity management” became a wildly popular (and overused) buzz word in physical access. I have to admit, it’s catchy, very easy on the ears, and makes everything seem as though it is relevant to any security aspiration.
The black and white lines that once existed between physical access and identity management have begun to disappear. However, they still exist, but they have become blurred and consist of many shades of gray. By virtue of referring to almost every product or activity as that of identity management, it prevents meaningful dialogue from occurring and driving toward specific ideas and objectives.
After all, this isn’t the first time this has happened. Remember “convergence?” Vendors were pitching, partners were pushing, and end-users were listening. However, the irony was that most of the vendors weren’t listening to the end-users. The feedback I have received from many global security managers (CSOs, CIOs, CISOs, etc.) was that proposed solutions did not address core program objectives, nor could the vendors explain how the solution would technically solve their business objectives. Translation – they weren’t relevant and would not be a good investment.
I don’t want anyone to get the impression that I am against convergence because this would be false. I will go on record that the frenzy was poorly executed and shot itself in the foot. At the same time, I also believe convergence is happening, but in a much different way than the market had anticipated (which will be a topic for another time). My point is that buzz needs to demonstrate relevance to an organization’s specific objectives. If identity management aims to achieve operational efficiency, then the enterprise must first achieve organizational effectiveness by establishing common, cross-functional, and collaborative goals. The core of this is speaking the same language and using the same definitions at a detailed level. Blanket buzz terms that span just about every product don’t contribute terribly well other than to get everyone to the table with perhaps some level of enthusiasm. And when they get there, they sometimes realize they are pretty far apart.
Several months ago I was briefed by a CSO that explained he had setup a cross-functional meeting between IT and physical security with the objective of trying to reduce costs while improving policy enforcement to meet growing compliance measures through operational improvements in identity management. It didn’t go too well.
In the meeting, physical and IT took turns overviewing their challenges and what they would like to fix. The meeting evolved into each side expressing concerns that there was a disconnect. Each side was struggling to know how directories, attributes and SAML (Security Assertion Markup Language) or lanyards, badges and turnstiles respectively were relevant to the topic of identity management. People got frustrated and the meeting ended. There were a couple follow-on attempts but fatigue took over and the two groups were resigned to just not work with one another thinking the other didn’t “get it”.
The CSO wanted to see if I could help get it back on track. We agreed that the lesson was that transitioning from buzz to real dialogue mandates some conscious cultivation. We drafted some ground rules for the next meeting that proceed to be successful. Here is a summary of some of them.
• Create a shadowing program to foster understanding and respect for one another’s roles
• Get them thinking how to solve problems together through mutual insight, not in a meeting vacuum.
• Encourage language that is descriptive and specific. Get away from high-level terminology.
• Develop common vocabulary between groups.
• Inventory current processes and explain what is trying to be achieved
• Highlight the overlaps to use as integration points.
• Outline the gaps that do not meet current requirements and how to remediate.
• Develop common principles and goals before talking integration and convergence
• Involve stakeholders; define current and desired future state policies and processes
• Collaborate on identity lifecycle vision, document it.
• Talk integration, automation, define what is being gained. Go through review process.
Product and Vendor Interaction:
• When a vendor states that their product is an identity management solution, request they explain in detail how their product contributes to the act of managing identities
• Provide them with feedback so they have insight and can productively contribute, or get out of the way and develop more relevant solutions. They need direction too.
• Note: Be conscious of how many identity sources you have and require.
The most important lesson from all of this is that regardless of how people classify a product it doesn’t really matter. What does matter is that identity management should be treated as a focused program, not the activity of procuring products to keep the wheels turning. To do so requires everyone working toward the same goals and from there it will sort itself out, sales pitches fade, and relevance comes naturally. No one is going to do this but you and is your sole responsibility to filter and sort what it means to you, not just go along.
About the Author: Terry Gold is an independent analyst and researcher covering security, identity and privacy.